
1、Dialog要置顶需要在对话框资源属性里设置TopMost才能生效;
2、调整代码结构

Jeff Wang il y a 3 ans
Parent
commit
bc386b3656

+ 240 - 36
Source/Assist/Assist/Assist.cpp

@@ -4,16 +4,14 @@
 #include "stdafx.h"
 #include "Assist.h"
 
-// 8组寄存器存储;
-BYTE byEAX[8] = {0};
-BYTE byEBX[8] = {0};
-BYTE byECX[8] = {0};
-BYTE byEDX[8] = {0};
-BYTE byEBP[8] = {0};
-BYTE byESP[8] = {0};
-BYTE byESI[8] = {0};
-BYTE byEDI[8] = {0};
+// 全局CallData;
+CALLDATA _cd_Go;
+CALLDATA _cd_Connect;
+CALLDATA _cd_Disconnect;
+CALLDATA _cd_CheckFW;
+CALLDATA _cd_SaveAsOutputData;
 
+// 8组寄存器存储;
 DWORD dwEAX = 0;
 DWORD dwEBX = 0;
 DWORD dwECX = 0;
@@ -23,11 +21,98 @@ DWORD dwESP = 0;
 DWORD dwESI = 0;
 DWORD dwEDI = 0;
 
-// 新的Call;
-BYTE byNewCall[5] = {0};
+// 定义跳转函数;
+void Call_MyDisconnect();
+void Call_MyConnect();
+void Call_MyGo();
+void Call_MyCheckFW();
+void Call_MySaveAsOutputData();
+// 其他函数;
+void SetChannel(int nChannel);
+void SetSN(LPCTSTR lpSN);
+void ChangeSDK(int nSDK);   // 0=410SDK, 1=310SDK;
+
+void InitCallData()
+{
+    // Go
+    _cd_Go.myCall = Call_MyGo;
+    _cd_Go.dwBack2Addr = 0x00417B2A;
+    _cd_Go.dwOriginalAddr = 0x00417B25;
+
+    // Connect
+    _cd_Connect.myCall = Call_MyConnect;
+    _cd_Connect.dwBack2Addr = 0x00417B2A;
+    _cd_Connect.dwOriginalAddr = 0x00417B25;
+
+    // Disconnect
+    _cd_Disconnect.myCall = Call_MyDisconnect;
+    _cd_Disconnect.dwBack2Addr = 0x00417B2A;
+    _cd_Disconnect.dwOriginalAddr = 0x00417B25;
+
+    // CheckFW
+    _cd_CheckFW.myCall = Call_MyCheckFW;
+    _cd_CheckFW.dwBack2Addr = 0x00417B2A;
+    _cd_CheckFW.dwOriginalAddr = 0x00417B25;
+
+    // SaveAsOutputData
+    _cd_SaveAsOutputData.myCall = Call_MySaveAsOutputData;
+    _cd_SaveAsOutputData.dwBack2Addr = 0x00417B2A;
+    _cd_SaveAsOutputData.dwOriginalAddr = 0x00417B25;
+}
+
+// 劫持原始地址;
+BOOL HijackedCall(CALLDATA *pCallData)
+{
+    if ( !pCallData )
+        return FALSE;
+
+    memset(pCallData->szMyCallData, 0, CALL_LEN);
+    pCallData->szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
+    *(LPDWORD)(&pCallData->szMyCallData[1]) = (DWORD)pCallData->myCall - pCallData->dwOriginalAddr - CALL_LEN;
+
+    HANDLE hProc = GetCurrentProcess();
+    // 将要劫持的地址指令备份下来;
+    memset(pCallData->szOriginalAddrData, 0, CALL_LEN);
+    if ( !ReadProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, CALL_LEN, NULL) )
+    {
+        MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
+        return FALSE;
+    }
+
+    // 将我们的Call地址指令写入目标地址;
+    if ( !WriteProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szMyCallData, CALL_LEN, NULL) )
+    {
+        MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
+        return FALSE;
+    }
+
+    return TRUE;
+}
 
-// 旧的Call备份;
-BYTE byOldCall[5] = {0};
+// 劫持原始地址;
+BOOL HijackedCall(LPVOID MyCall, LPVOID OriginalCall, BYTE (&szOriginalCallData)[CALL_LEN])
+{
+    BYTE szMyCallData[CALL_LEN] = {0};
+    szMyCallData[0] = 0xE9; // 汇编硬编码:jmp [4字节地址];
+    *(LPDWORD)(&szMyCallData[1]) = (DWORD)MyCall - (DWORD)OriginalCall - CALL_LEN;
+
+    HANDLE hProc = GetCurrentProcess();
+    // 将要劫持的地址指令备份下来;
+    if ( !ReadProcessMemory(hProc, OriginalCall, szOriginalCallData, CALL_LEN, NULL) )
+    {
+        MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
+        return FALSE;
+    }
+
+    // 将我们的Call地址指令写入目标地址;
+    if ( !WriteProcessMemory(hProc, OriginalCall, szMyCallData, CALL_LEN, NULL) )
+    {
+        MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
+        return FALSE;
+    }
+
+    return TRUE;
+}
 
 void __declspec(naked) Call_MySaveAsOutputData()
 {
@@ -44,8 +129,8 @@ void __declspec(naked) Call_MySaveAsOutputData()
         mov dwEDI, EDI;
         // my call
         mov eax,0x004AB3FC
-        mov dl,1
-        call dword ptr[eax]
+            mov dl,1
+            call dword ptr[eax]
         // 恢复寄存器; 
         mov EAX, dwEAX;
         mov EBX, dwEBX;
@@ -61,8 +146,7 @@ void __declspec(naked) Call_MySaveAsOutputData()
 }
 
 
-DWORD dwGoNextAddr = 0x00417B2A;
-void __declspec(naked) MyGo()
+void __declspec(naked) Call_MyGo()
 {
     // 备份寄存器;
     __asm{
@@ -92,32 +176,152 @@ void __declspec(naked) MyGo()
         mov ESI, dwESI;
         mov EDI, dwEDI;
         // 最后返回原Call地址下一行;
-        jmp dwGoNextAddr;
+        jmp _cd_Go.dwBack2Addr;
     }
 }
 
-// 00417A84
-// 00417B25 | E8 FA9F0E00          | call demo.501B24                        |
-void Call_MyGo()
+void __declspec(naked) Call_MyConnect()
 {
-    BYTE szMyCall[5] = {0};
-    szMyCall[0] = 0xE9; // 硬编码:jmp或call
-    *(LPDWORD)(&szMyCall[1]) = (DWORD)MyGo - 0x00417B25 - 5;
+    // 备份寄存器;
+    __asm{
+        // 保存寄存器;
+        mov dwEAX, EAX;
+        mov dwEBX, EBX;
+        mov dwECX, ECX;
+        mov dwEDX, EDX;
+        mov dwEBP, EBP;
+        mov dwESP, ESP;
+        mov dwESI, ESI;
+        mov dwEDI, EDI;
+    }
 
-    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
-    // 将要Hook的地址指令备份下来;
-    if ( !ReadProcessMemory(GetCurrentProcess(), (LPVOID)0x00417B25, byOldCall, 5, NULL) )
-    {
-        MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
-        return;
+
+    MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
+
+
+    __asm{
+        // 恢复寄存器; 
+        mov EAX, dwEAX;
+        mov EBX, dwEBX;
+        mov ECX, dwECX;
+        mov EDX, dwEDX;
+        mov EBP, dwEBP;
+        mov ESP, dwESP;
+        mov ESI, dwESI;
+        mov EDI, dwEDI;
+        // 最后返回原Call地址下一行;
+        jmp _cd_Go.dwBack2Addr;
     }
+}
 
-    // 将我们的Call地址指令写入目标地址;
-    if ( !WriteProcessMemory(hProc, (LPVOID)0x00417B25, szMyCall, 5, NULL) )
-    {
-        MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
-        return;
+void __declspec(naked) Call_MyDisconnect()
+{
+    // 备份寄存器;
+    __asm{
+        // 保存寄存器;
+        mov dwEAX, EAX;
+        mov dwEBX, EBX;
+        mov dwECX, ECX;
+        mov dwEDX, EDX;
+        mov dwEBP, EBP;
+        mov dwESP, ESP;
+        mov dwESI, ESI;
+        mov dwEDI, EDI;
+    }
+
+
+    MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
+
+
+    __asm{
+        // 恢复寄存器; 
+        mov EAX, dwEAX;
+        mov EBX, dwEBX;
+        mov ECX, dwECX;
+        mov EDX, dwEDX;
+        mov EBP, dwEBP;
+        mov ESP, dwESP;
+        mov ESI, dwESI;
+        mov EDI, dwEDI;
+        // 最后返回原Call地址下一行;
+        jmp _cd_Go.dwBack2Addr;
+    }
+}
+
+void __declspec(naked) Call_MyCheckFW()
+{
+    // 备份寄存器;
+    __asm{
+        // 保存寄存器;
+        mov dwEAX, EAX;
+        mov dwEBX, EBX;
+        mov dwECX, ECX;
+        mov dwEDX, EDX;
+        mov dwEBP, EBP;
+        mov dwESP, ESP;
+        mov dwESI, ESI;
+        mov dwEDI, EDI;
+    }
+
+
+    MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
+
+
+    __asm{
+        // 恢复寄存器; 
+        mov EAX, dwEAX;
+        mov EBX, dwEBX;
+        mov ECX, dwECX;
+        mov EDX, dwEDX;
+        mov EBP, dwEBP;
+        mov ESP, dwESP;
+        mov ESI, dwESI;
+        mov EDI, dwEDI;
+        // 最后返回原Call地址下一行;
+        jmp _cd_Go.dwBack2Addr;
+    }
+}
+
+void __declspec(naked) SetChannel()
+{
+    // 备份寄存器;
+    __asm{
+        // 保存寄存器;
+        mov dwEAX, EAX;
+        mov dwEBX, EBX;
+        mov dwECX, ECX;
+        mov dwEDX, EDX;
+        mov dwEBP, EBP;
+        mov dwESP, ESP;
+        mov dwESI, ESI;
+        mov dwEDI, EDI;
+    }
+
+
+    MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);
+
+
+    __asm{
+        // 恢复寄存器; 
+        mov EAX, dwEAX;
+        mov EBX, dwEBX;
+        mov ECX, dwECX;
+        mov EDX, dwEDX;
+        mov EBP, dwEBP;
+        mov ESP, dwESP;
+        mov ESI, dwESI;
+        mov EDI, dwEDI;
+        // 最后返回原Call地址下一行;
+        jmp _cd_Go.dwBack2Addr;
     }
+}
+
+void SetSN(LPCTSTR lpSN)
+{
+
+}
+
+void ChangeSDK(int nSDK)   // 0=410SDK, 1=310SDK;
+{
 
-    MessageBox(NULL, _T("替换成功"), _T("提示"), MB_OK);
 }
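Review bot: Call_MyConnect, Call_MyDisconnect, Call_MyCheckFW and SetChannel all finish with `jmp _cd_Go.dwBack2Addr;` and show the `"MyGo Function"` message, so each detour returns into the Go continuation instead of its own entry; each should jump through its own CALLDATA, e.g. `jmp _cd_Connect.dwBack2Addr;`. `SetChannel` is declared `void SetChannel(int nChannel);` at the top of the file but defined as the naked, parameterless `void __declspec(naked) SetChannel()`, which C++ treats as a different overload, so the declared function has no definition and the naked body would be entered by a plain call with no return path. In InitCallData all five entries receive the same placeholder addresses 0x00417B25/0x00417B2A, and HijackedCall (hunk 2) backs up whatever is currently at dwOriginalAddr before writing, so a second call on the same entry copies the already-written jmp into szOriginalAddrData and the original bytes are lost; guard with something like `if (pCallData->szOriginalAddrData[0] != 0) return TRUE; // already applied` and pair it with a routine that writes the backup back. The register save area (dwEAX…dwEDI) is shared by every detour, so the naked functions are not reentrant; worth a comment at the declarations stating that.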

+ 31 - 10
Source/Assist/Assist/Assist.h

@@ -1,12 +1,33 @@
 #include "stdafx.h"
 
-// 定义跳转函数;
-void Call_MyDisconnect();
-void Call_MyConnect();
-void Call_MyGo();
-void Call_MyCheckFW();
-void Call_MySaveAsOutputData();
-// 其他函数;
-void SetChannel(int nChannel);
-void SetSN(LPCTSTR lpSN);
-void ChangeSDK(int nSDK);   // 0=410SDK, 1=310SDK;
+#define CALL_LEN 5
+
+typedef struct __CALL_DATA__
+{
+    LPVOID  myCall;                             // 劫持地址;
+    DWORD   dwOriginalAddr;                     // 被劫持的原始地址;
+    DWORD   dwBack2Addr;                        // 劫持Call完成后要返回的原始地址的下一地址;
+    BYTE    szMyCallData[CALL_LEN];             // 劫持Call的硬编码数据;
+    BYTE    szOriginalAddrData[CALL_LEN];       // 被劫持的原始Call数据备份;
+
+    __CALL_DATA__() {
+        myCall = NULL;
+        dwBack2Addr = 0;
+        dwOriginalAddr = 0;
+        memset(szMyCallData, 0, CALL_LEN);
+        memset(szOriginalAddrData, 0, CALL_LEN);
+    }
+}CALLDATA, *LPCALLDATA;
+
+// 全局参数;
+extern CALLDATA _cd_Go;
+extern CALLDATA _cd_Connect;
+extern CALLDATA _cd_Disconnect;
+extern CALLDATA _cd_CheckFW;
+extern CALLDATA _cd_SaveAsOutputData;
+
+
+
+void InitCallData();
+BOOL HijackedCall(CALLDATA *pCallData);
+BOOL HijackedCall(LPVOID MyCall, LPVOID OriginalCall, BYTE (&szOriginalCallData)[CALL_LEN]);
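Review bot: The header now defines a type but still has no include guard, so any translation unit that includes both stdafx.h-driven headers and Assist.h twice gets a redefinition of `__CALL_DATA__`; add `#pragma once` (or a guard) above `#define CALL_LEN 5`. The tag `__CALL_DATA__` is a double-underscore identifier, which is reserved for the implementation; a tag such as `CALL_DATA_tag` avoids the reservation without changing the `CALLDATA` typedef callers use. The two `HijackedCall` declarations are overloads that share the read-backup-then-write sequence; a one-line comment on each saying which one owns the backup buffer (the struct member versus the caller's `szOriginalCallData` reference) would make the ownership explicit.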

+ 5 - 4
Source/Assist/Assist/Assist.rc

@@ -52,13 +52,14 @@ END
 // Dialog
 //
 
-IDD_DLG_ASSIST DIALOGEX 0, 0, 316, 182
-STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU
+IDD_DLG_ASSIST DIALOGEX 0, 0, 317, 182
+STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
+EXSTYLE WS_EX_TOPMOST
 CAPTION "Dialog"
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
     DEFPUSHBUTTON   "È·¶¨",IDOK,205,161,50,14
-    PUSHBUTTON      "È¡Ïû",IDCANCEL,259,161,50,14
+    PUSHBUTTON      "È¡Ïû",IDCANCEL,260,161,50,14
     PUSHBUTTON      "SaveAsOutputData",BTN_SAVE_AS_OUTPUT_DATA,19,18,92,14
     PUSHBUTTON      "MyGo",BTN_GO,27,43,50,14
 END
@@ -75,7 +76,7 @@ BEGIN
     IDD_DLG_ASSIST, DIALOG
     BEGIN
         LEFTMARGIN, 7
-        RIGHTMARGIN, 309
+        RIGHTMARGIN, 310
         TOPMARGIN, 7
         BOTTOMMARGIN, 175
     END

+ 19 - 3
Source/Assist/Assist/dllmain.cpp

@@ -33,7 +33,18 @@ BOOL APIENTRY DllMain( HMODULE hModule,DWORD  ul_reason_for_call,LPVOID lpReserv
 void __cdecl MyWinThread(LPVOID lpParam)
 {
     g_hDlgWnd = CreateDialogParam(g_hModule, MAKEINTRESOURCE(IDD_DLG_ASSIST), NULL, DialogProc, NULL);
-    ShowWindow(g_hDlgWnd, SW_SHOW);
+
+    RECT rtDlg;
+    GetWindowRect(g_hDlgWnd, &rtDlg);
+
+    int nScreenX = GetSystemMetrics(SM_CXSCREEN);
+    int nScreenY = GetSystemMetrics(SM_CYSCREEN);
+
+    // 在资源中设置窗口属性为TopMost才能置顶;
+    SetWindowPos(g_hDlgWnd, HWND_TOP, nScreenX / 2 - rtDlg.right/2, nScreenY/2 - rtDlg.bottom/2, 0, 0, SWP_NOSIZE|SWP_SHOWWINDOW);
+    // 设置鼠标样式;
+    //HACCEL hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_GUITEST));
+    //ShowWindow(g_hDlgWnd, SW_SHOW);
 
     MSG msg;
     while (GetMessage(&msg, NULL, 0, 0))
@@ -59,6 +70,7 @@ BOOL CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
     switch(uMsg)
     {
     case WM_INITDIALOG:
+        InitCallData();
         break;
     case WM_CLOSE:
         DestroyWindow(hwndDlg);
@@ -82,10 +94,14 @@ BOOL CALLBACK DialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
                 MessageBox(hwndDlg, _T("取消"), _T("单击"), MB_OK);
                 break;
             case BTN_SAVE_AS_OUTPUT_DATA:
-                Call_MySaveAsOutputData();
                 break;
             case BTN_GO:
-                Call_MyGo();
+                {
+                    if ( HijackedCall(&_cd_Go) )
+                    {
+                        MessageBox(hwndDlg, _T("劫持Call成功"), _T("劫持"), MB_OK);
+                    }
+                }
                 break;
             default:
                 break;
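Review bot: In MyWinThread the centering uses `rtDlg.right/2` and `rtDlg.bottom/2`, which are the screen coordinates of the dialog's right and bottom edges rather than its width and height, so the window is only centered when CreateDialogParam happened to place it at the origin; use `nScreenX / 2 - (rtDlg.right - rtDlg.left) / 2` and `nScreenY / 2 - (rtDlg.bottom - rtDlg.top) / 2`. `g_hDlgWnd` is not checked before `GetWindowRect`, and that call's return value is ignored, so a failed CreateDialogParam leaves rtDlg uninitialized and passes it to SetWindowPos; add `if (!g_hDlgWnd || !GetWindowRect(g_hDlgWnd, &rtDlg)) return;` before computing the position. The commented-out LoadAccelerators/ShowWindow lines are dead code and can be dropped, and the BTN_GO handler in the last hunk calls `HijackedCall(&_cd_Go)` on every click with no guard against re-applying it. MyWinThread and DialogProc both start outside the hunks shown.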